Doesn't distributing the source code decrease security?
Absolutely not. A reasonably determined adversary can simply reverse engineer the machine code that comprises the program and analyse it [GW96]. University students are capable of undertaking this task, so it is extremely naïve to believe that the intelligence agencies can't. As an example, Netscape and Microsoft refused to release the source code of their security-related software for peer review [GW96]. As a result of this lack of peer review, two of the most popular implementations of SSL were totally insecure against a determined adversary. One notes that even the "secure" versions of the browsers (e.g. the domestic US versions of the software) suffered from this security hole. Quoting directly from the paper: "Peer review is essential to the development of any secure software. Netscape did not encourage outside auditing or peer review of its software – and that goes against everything the security industry has learned from past mistakes. By extension, without peer review and inte